Selling Hemp Products to Europe? Welcome to the GDPR Nightmare.

Ever since the passage of the 2018 Farm Bill, our hemp lawyers have been getting a barrage of questions about the lawful status of hemp and hemp-derived cannabidiol (“Hemp CBD”) in the United States. The hemp laws appear to be changing in favor of a pro-hemp marketplace, but at a much slower pace than the actual U.S. market for hemp is growing.

As the market in the U.S. continues to develop, companies may shift their focus to the international market. As we recently wrote, selling hemp or Hemp CBD products in the European Union (“EU”) is one area that—sort of like in the U.S.—is bursting with various legal and regulatory concerns from the top EU agencies to the individual EU states.

In addition to the array of legal and regulatory concerns about the sale of Hemp CBD products in the EU noted in our above-linked post, the EU’s General Data Protection Regulation (“GDPR”) is something that almost any U.S.-based company doing business in the EU will need to become familiar with. And it won’t be pretty.

The GDPR is a groundbreaking EU privacy and data security regulation that went into effect on May 25, 2018. The GDPR gives EU residents a broad array of privacy rights with respect to holders of their data. EU residents have the right to, for example, request that companies delete or modify certain data about them, or even provide notification to the residents about what data they have. Companies are required to adopt very complex data security measures and enter into numerous data security contracts. Companies must disclose their privacy practices to consumers at the point of data collection (e.g., having a privacy policy, which is already required in the U.S., but on a lesser scale). And companies are only allowed to “process” (i.e., obtain or use) data upon consent or if there is another lawful basis for processing. This may not sound like a lot, but it created a worldwide rush to compliance leading up to May 2018, with many companies still trying to get their ducks in a row.

What U.S. companies need to seriously be concerned about is whether they engage in conduct that triggers GDPR compliance, which according to GDPR Article 3(2) could happen even for wholly U.S.-based companies:

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

the monitoring of their behaviour as far as their behaviour takes place within the Union.

This is a very broad jurisdictional “hook”. If a U.S. company is offering goods or services—even for free—to EU residents, then GDPR may apply. Selling or even offering for sale hemp or Hemp CBD products to EU countries (assuming that there were no other regulatory barriers) thus could subject a U.S.-based operator to GDPR compliance. There is no threshold of goods that must be sold to trigger GDPR compliance, so even a few sales could theoretically require compliance.

The monitoring component is also important for companies to consider. Companies may use marketing tools to “profile” potential customers online. Applying these tools to EU residents could be another way to land oneself in GDPR compliance territory.

What happens if companies don’t comply with GDPR’s requirements if they are mandatory? First, effected EU residents may bring actions against the companies. Second, the companies could be subject to fines (see Article 83(4)–(5)) as high as €20,000,000 or four percent of a company’s annual turnover (i.e., its gross revenues). As GDPR is so new, we don’t yet know what enforcement will look like against U.S. companies and how foreign fines or judgments would be dealt with in the U.S.

The bottom line is that doing business in the EU may likely subject U.S. companies to very onerous compliance requirements. While we don’t yet have a full picture of what enforcement will look like, we wouldn’t be surprised if European regulators took a hard line against U.S. companies selling hemp or Hemp CBD products in their home states which they viewed as harmful or unlawful.